Anti-leech protection for advanced website applications

Source: Internet
Author: User

Websites today may encounter leeching problems, including leeching of images and of music or video files (such as mp3 and Flash files). I believe many readers have had links to files on their website stolen, especially images. Next we will analyze the principles behind this problem and the solutions to it.

So-called leeching means that another party's website links directly to files on your website instead of hosting the files on its own server. The leeched objects are mostly large files with high bandwidth consumption. In a sense, this makes you pay for the other party's traffic: not only is your server bandwidth occupied without any return, but it also usually affects the access speed of your website to a large degree.

How leeching is done: it takes only the most basic HTML knowledge, such as using img to embed an image in a published article, or using href to link to a file for download.

Anti-leeching principle and implementation method: the method is to check whether the Referer header refers to your own domain name. As an example, the Apache implementation for prohibiting image leeching is described below.

The following uses an image as an example to describe this.

Purpose: we should not only block unauthorized leeching of the website's files, but also redirect those requests back to the website, so that readers know who the real publisher (the image source website) is.

Using Apache's URL rewrite function, add the following settings to .htaccess to disable image leeching.

RewriteEngine on

Enables URL rewriting.

RewriteCond %{REQUEST_URI} !^/allow/.*$

Excludes URLs under /allow/ from the rules. This is very important, because everything else is filtered by Referer below. Files in this directory may be "leeched", so that the error image can be displayed correctly on the other party's website.

RewriteCond %{REQUEST_FILENAME} \.(gif|png|jpg)$ [NC]

Checks whether the requested file is an image. You can add more file types as needed, for example exe.

RewriteCond %{HTTP_REFERER} !^$

The above line allows access with an empty "HTTP_REFERER", that is, it allows users to enter the image address directly in the browser address bar to display the image file. Allowing this is recommended: if you require "HTTP_REFERER" to be present, some problems may occur, such as when the address is entered directly in the URL address bar.

RewriteCond %{HTTP_REFERER} !chinaitlab\.com [NC]

RewriteCond %{HTTP_REFERER} !google\.com [NC]

RewriteCond %{HTTP_REFERER} !baidu\.com [NC]

Sets the HTTP sources that are allowed access, including the website itself, Google, Baidu, and so on.

RewriteRule (.*) /allow/error.gif [R=301,NC,L]

Redirects requests that do not satisfy the Referer conditions to error.gif. Pay attention to whether error.gif is located in the allow directory, where "leeching" is allowed. Otherwise, the warning information and image cannot be displayed on the website of the other party.

With the settings above, we have implemented the functions we need. They not only block leeching from outside the website, but also redirect the leeching request to our own website, so that readers know who the real publisher (the image source website) is.
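The decision these rules make can be written out in Python, as an added example that is not part of the original article. It also compares the article's substring test on the Referer with a test on the Referer's host name, which is stricter because the allowed name can otherwise appear anywhere in the header. The function names, the `other.example` host and the sample requests are constructed for illustration, and the URL path stands in for REQUEST_FILENAME.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SITES = ("chinaitlab.com", "google.com", "baidu.com")  # from the article
IMAGE_RE = re.compile(r"\.(gif|png|jpg)$", re.IGNORECASE)      # [NC] = ignore case
ERROR_IMAGE = "/allow/error.gif"

def referer_ok_substring(referer):
    """The article's test: an allowed name appears anywhere in the Referer."""
    low = referer.lower()
    return any(site in low for site in ALLOWED_SITES)

def referer_ok_host(referer):
    """Stricter test: the Referer's host is an allowed site or its subdomain."""
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:  # malformed URL
        return False
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SITES)

def decide(path, referer, referer_ok=referer_ok_host):
    """Return the path that is served, checking in the order of the rules."""
    if path.startswith("/allow/"):   # excluded directory
        return path
    if not IMAGE_RE.search(path):    # not a protected file type
        return path
    if referer == "":                # empty Referer: direct access
        return path
    if referer_ok(referer):          # own site or a listed search engine
        return path
    return ERROR_IMAGE               # leeching: redirect to the notice image

# Constructed sample requests (path, Referer); hosts are placeholders.
SAMPLES = [
    ("/img/logo.gif", ""),
    ("/img/logo.gif", "http://www.chinaitlab.com/article.html"),
    ("/img/logo.gif", "http://other.example/post.html"),
    ("/img/logo.gif", "http://other.example/post.html?from=chinaitlab.com"),
    ("/allow/error.gif", "http://other.example/post.html"),
]

if __name__ == "__main__":
    for path, ref in SAMPLES:
        loose = decide(path, ref, referer_ok_substring)
        strict = decide(path, ref)
        print(f"{path} referer={ref!r} substring->{loose} host->{strict}")
```

In mod_rewrite the stricter behaviour comes from anchoring each Referer pattern to the scheme and host instead of matching the bare domain name.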

Anti-leech settings for other types of files

If your website has other files with high bandwidth consumption, such as Flash files and mp3 files, that are leeched by other websites, you can adopt the same policy. For example, for Flash files, the following settings are available:

RewriteCond %{REQUEST_URI} !^/allow

RewriteCond %{REQUEST_FILENAME} \.swf$ [NC]

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !chinaitlab\.com [NC]

RewriteRule (.*) /allow/error.swf [R=301,NC,L]

Of course, you need to prepare in advance the Flash file "error.swf" that carries the copyright notice. Anti-leech settings for other files, such as mp3 files and compressed files (zip or rar), are the same.

Of course, the Referer mentioned above can be forged by a skilled user, so there are more advanced methods: for example, also checking the User-Agent and other headers, checking a cookie, recording the IP addresses that have been checked, or setting a session when the page is accessed and checking for that session when the images are requested.

Author: Fu Kai

(Source: it lab weekly)
